hxxp://hripts/main/linux[.]shercontent[.]com/Lachine1/xmrig-scripts/main/linux[.]sh

Analysis

max time kernel
0s
max time network
384s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
19-09-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh

Score

3^/10

discovery

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/1574/attr/apparmor/current	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/1574/status	dbus-daemon
File opened for reading	/proc/1569/cmdline	dbus-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/1590/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1568	xdg-open
1659	firefox

/usr/bin/xdg-open
xdg-open http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh
1⤵
- System Network Configuration Discovery
PID:1568
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1569
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
    3⤵
    PID:1570
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1572
- /usr/bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  - Reads runtime system information
  PID:1576
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1575
- /usr/bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  - Reads runtime system information
  PID:1578
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1577
- /usr/bin/grep
  grep -q "^Enlightenment"
  2⤵
  - Reads runtime system information
  PID:1580
- /usr/bin/uname
  uname
  2⤵
  PID:1581
- /usr/bin/grep
  grep -q "^file://"
  2⤵
  - Reads runtime system information
  PID:1583
- /usr/bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  - Reads runtime system information
  PID:1585
- /usr/bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  - Reads runtime system information
  PID:1588
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/http
  2⤵
  PID:1589
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1590
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
      4⤵
      PID:1591
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    - Reads runtime system information
    PID:1593
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1592
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    - Reads runtime system information
    PID:1595
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1594
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    - Reads runtime system information
    PID:1597
- - /usr/bin/uname
    uname
    3⤵
    PID:1598
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1601
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1606
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1605
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1604
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1603
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1611
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1610
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1609
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1608
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1616
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1615
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1614
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1613
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1621
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1620
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1619
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1618
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1626
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1625
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1624
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1623
- /usr/bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1629
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1632
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1635
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1640
- /usr/bin/which
  which firefox
  2⤵
  PID:1641
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1644
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1647
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1655
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1658
- /usr/bin/firefox
  /usr/bin/firefox http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh
  2⤵
  - System Network Configuration Discovery
  PID:1659

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.dbus/session-bus/f2de92a803c744e586bd87567a26b68a-0

Filesize
465B

MD5
cfb6b36bd9e55392c99441ea0798e5f4

SHA1
d819e181c9d5d8d1e7f40564b6b19cef0202d735

SHA256
5828ef3ca9e72cafdba9490b2f9d9f451ee3105efde4837cdec4bcd16228f39c

SHA512
066fb1f1ffca4791e9b11c98f15b1282cc369c0338d99a1a856dbd0d0c273fdf9e571af0de5bc274e2df0c6f92e8d45badf50b8738d60df9b71671f3226da707

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads